This campaign was stealthy and, thankfully, did not last long, but another major attack was being carried out around the same time, most likely by the same gang.

Working with ClarityAd, we quickly confirmed the malicious activity around 04/11 which showed a well-known ad network (merchenta) with direct ties to Google’s DoubleClick being caught in a large malvertising incident.

The latest malvertising attack was carried out through merchenta, a company that provides a platform for ad exchange and direct integrations with top publishers. They boast 28 billion monthly impressions for the US alone and work directly with top-tier ad networks such as Google’s DoubleClick.

The criminals posed as an advertiser, infiltrated the platform via a third party and managed to house a malicious advert directly on merchenta’s ad platform, which was then fed into Google’s DoubleClick channels.

Although DoubleClick is not directly responsible for loading the malicious ad, it starts the chain of trust with the publisher, which unfortunately has little control over the subsequent transactions taking place.

Upon contacting merchenta, we received a quick response. According to them, the account used belonged to Bidable.com (another real-time bidding company) and it was one of their clients that was fraudulent.

According to merchenta, the account was terminated by 10 AM UTC April 15.

We did not collect the payload in this case but the one we observed in the other campaign was Cryptowall.

All ad networks have been informed, but the attack did last for a few days most likely infecting a significant number of people.

This latest example is yet another reminder of one of the big weaknesses with online advertising. Ad networks rely on third parties and the chain of trust can easily be broken when one rogue actor joins in.

I recently had a talk with someone who shared a very interesting story about how rogue advertisers are able to subvert security checks.

These crooks essentially pose as working for a Fortune 500 company and submit a clean advert. The ad network is very interested because this would be a big customer, so they make sure to accommodate the client as much as they can.

The advert still goes through quality assurance and security tests before finally getting ready for prime time. Right before that happens, the rogue advertiser sends a new version of the ad (with only a minor change they claim) and the ad network, not wanting to lose a client, skips the checks that were already done.

It turns out that the new version of the ad is malicious, yet it has full clearance to be displayed via major networks. This is just one of the many tricks rogue advertisers will use to insert themselves into the chain.
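The weakness in the story above is that clearance was attached to the advertiser rather than to the creative that was actually reviewed. The following is an added example, not code from the post or from any ad network, showing one way to close that gap: approval is bound to the SHA-256 of the creative's exact bytes, so a resubmitted "minor change" can never inherit the earlier review. The advertiser name, creative markup and registry class are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example; not merchenta's or any ad network's real system.
# Clearance is keyed by the digest of the creative bytes, not by who
# submitted them, so a changed version always needs a fresh review.


@dataclass
class CreativeRegistry:
    approved: dict = field(default_factory=dict)  # sha256 hex -> advertiser

    @staticmethod
    def digest(creative: bytes) -> str:
        return hashlib.sha256(creative).hexdigest()

    def approve(self, advertiser: str, creative: bytes, review_passed: bool) -> str:
        """Record clearance only for bytes that actually went through review."""
        if not review_passed:
            raise ValueError("creative has not passed review")
        h = self.digest(creative)
        self.approved[h] = advertiser
        return h

    def may_serve(self, advertiser: str, creative: bytes) -> bool:
        """Serve only if these exact bytes were cleared for this advertiser."""
        return self.approved.get(self.digest(creative)) == advertiser

    def resubmit(self, advertiser: str, old: bytes, new: bytes) -> dict:
        """Report what a resubmission changes; clearance is never carried over."""
        old_h, new_h = self.digest(old), self.digest(new)
        return {
            "previously_approved": self.approved.get(old_h) == advertiser,
            "identical": old_h == new_h,
            "needs_review": old_h != new_h,
            "serveable_now": self.may_serve(advertiser, new),
        }


def demo() -> dict:
    """Constructed walkthrough of the post-QA swap described in the text."""
    reg = CreativeRegistry()
    clean = b'<a href="https://example.test/promo"><img src="promo.png"></a>'
    # Same ad with one element appended after QA, pitched as a "minor change".
    swapped = clean + b'<script src="https://example.test/late.js"></script>'
    reg.approve("bigbrand", clean, review_passed=True)
    return reg.resubmit("bigbrand", clean, swapped)
```

The point is the last field: the swapped version is not serveable even though the same account had a cleared creative moments earlier.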
